Chapter 9
Data Protection, Privacy, Security, and Risk Management

Managing data through its lifecycle depends on a set of foundational processes that enable the ongoing use and enhancement of data. These include protecting data from unauthorized use, managing Metadata (the knowledge required to understand and use data), and managing the quality of data. As noted earlier, foundational activities must be accounted for as part of planning and design and they must be carried out operationally. These activities are also supported by and integral to the success of governance structures (see Figure 1).

This chapter will discuss data protection and security. Data Security includes the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.

Data security goals

The specifics of data security (which data needs to be protected, for example) differ between industries and countries. But the goal of data security practices is the same: to protect information assets in alignment with privacy and confidentiality regulations, contractual agreements, and business requirements. These requirements come from:

  • Stakeholders: Organizations must recognize the privacy and confidentiality needs of their stakeholders, including clients, patients, students, citizens, suppliers, or business partners. Everyone in an organization must be a responsible trustee of data about stakeholders.
  • Government regulations: Government regulations are in place to protect the interests of some stakeholders. Regulations have different goals. Some restrict access to information, while others ensure openness, transparency, and accountability. Regulations differ between countries, which means organizations that transact business internationally need to be aware of and able to meet data protection requirements where they do business.
  • Proprietary business concerns: Each organization has proprietary data to protect. An organization’s data provides insight into its customers and, when leveraged effectively, can provide a competitive advantage. If confidential data is stolen or breached, an organization can lose competitive advantage.
  • Legitimate access needs: When securing data, organizations must also enable legitimate access. Business processes require individuals in certain roles be able to access, use, and maintain data.
  • Contractual obligations: Contractual and non-disclosure agreements also influence data security requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS), which the card brands impose on merchants and service providers through their contracts, demands that certain types of data be protected in defined ways (e.g., stored primary account numbers must be rendered unreadable, and authentication credentials must be protected with strong cryptography).

Effective data security policies and procedures allow the right people to use and update data in the right way, and restrict all inappropriate access and updates (see Figure 24).40

Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of every organization. Client, supplier, and constituent relationships all trust in, and depend on, the responsible use of data.

The goals of data security activities include:

  • Enabling appropriate access and preventing inappropriate access to enterprise data assets
  • Enabling compliance with regulations and policies for privacy, protection, and confidentiality
  • Ensuring that stakeholder requirements for privacy and confidentiality are met

Data security principles

Because specific requirements change over time and differ between places, data security practices should follow guiding principles, including:

  • Collaboration: Data Security is a collaborative effort involving IT security administrators, data stewards/data governance, internal and external audit teams, and the legal department.
  • Enterprise approach: Data Security standards and policies must be applied consistently across the entire organization.
  • Proactive management: Success in data security management depends on being proactive and dynamic: engaging all stakeholders, managing change, and overcoming organizational or cultural bottlenecks such as the traditional separation of responsibilities between information security, information technology, data administration, and business stakeholders.
  • Clear accountability: Roles and responsibilities must be clearly defined, including the ‘chain of custody’ for data across organizations and roles.
  • Metadata-driven: Security classification for data elements is an essential part of data definition.
  • Reduce risk by reducing exposure: Minimize sensitive/confidential data proliferation, especially to non-production environments.
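The last principle, reducing exposure, is usually implemented by masking production data before it is copied to test, development, or analytics environments. The following Python is an added example and is not code from the original chapter: identifiers are replaced with keyed, one-way tokens (so joins between tables still work), card numbers are truncated to their last four digits, and a final check confirms that no original sensitive value survived the copy. The record layout, column names, masking key, and policy table are assumptions for illustration.

```python
"""Masking a production extract before it is copied to a non-production
environment. Added example; the rows, columns, key and policy below are
constructed for illustration and are not from the original chapter."""
import hashlib
import hmac
import re

# Assumed secret for the masking job. In practice it comes from a secrets
# manager, is specific to this environment, and is never a production key.
MASKING_KEY = b"example-masking-key-for-non-production"


def pseudonymize(value: str, key: bytes = MASKING_KEY) -> str:
    """Keyed, one-way, deterministic token. Equal inputs give equal tokens,
    so foreign keys between tables still join after masking, but nobody
    without the key can reverse or recompute the mapping."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask_pan(pan: str) -> str:
    """Truncate a card number to its last four digits. Truncation is one of
    the methods PCI DSS accepts for rendering a stored PAN unreadable, and
    keeping only the last four digits stays within its limits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible primary account number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email: str, key: bytes = MASKING_KEY) -> str:
    """Tokenize the local part; keep the domain so domain-based logic and
    realistic-looking test data survive."""
    local, _, domain = email.partition("@")
    if not domain:
        raise ValueError("not an e-mail address")
    return f"{pseudonymize(local, key)}@{domain}"


# Masking policy: column name -> masking function. This is security
# Metadata expressed as code; columns not listed are assumed
# non-sensitive and are copied unchanged.
MASKING_POLICY = {
    "customer_id": pseudonymize,
    "full_name": pseudonymize,
    "email": mask_email,
    "card_number": mask_pan,
}


def mask_record(record: dict) -> dict:
    """Apply the policy to one row; null values are passed through."""
    return {
        column: (MASKING_POLICY[column](value)
                 if column in MASKING_POLICY and value is not None else value)
        for column, value in record.items()
    }


def mask_dataset(rows: list) -> list:
    return [mask_record(row) for row in rows]


def leaked_values(original_rows: list, masked_rows: list) -> list:
    """Post-condition check: no value in a policy-covered column may appear
    unchanged in the output. Returns (row index, column) pairs that leaked."""
    leaks = []
    for i, (orig, masked) in enumerate(zip(original_rows, masked_rows)):
        for column in MASKING_POLICY:
            if orig.get(column) is not None and orig[column] == masked.get(column):
                leaks.append((i, column))
    return leaks


# Constructed sample extract (not real data).
SAMPLE_ROWS = [
    {"customer_id": "C-1001", "full_name": "Alice Example",
     "email": "alice@example.com", "card_number": "4111 1111 1111 1111",
     "order_total": "42.50"},
    {"customer_id": "C-1001", "full_name": "Alice Example",
     "email": "alice@example.com", "card_number": None,
     "order_total": "9.99"},
    {"customer_id": "C-1002", "full_name": "Bob Example",
     "email": "bob@example.org", "card_number": "5500 0000 0000 0004",
     "order_total": "100.00"},
]

if __name__ == "__main__":
    masked = mask_dataset(SAMPLE_ROWS)
    for row in masked:
        print(row)
    assert not leaked_values(SAMPLE_ROWS, masked)
```

The keyed HMAC rather than a plain hash matters: with an unkeyed hash, anyone holding the masked copy could recompute tokens for guessed identifiers and re-identify rows. The `leaked_values` check is the control that catches a column added to the source schema but not yet added to the policy.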

Risk reduction and business growth are the primary drivers of data security activities. Ensuring that an organization’s data is secure reduces risk and adds competitive advantage. Security itself is a valuable asset. There is also an ethical imperative to protect data (see Chapter 4).

Data security risks are associated with reputation, regulatory compliance, fiduciary responsibility for the enterprise and stockholders, and a legal and moral responsibility to protect the private and sensitive information of employees, business partners, and customers. Data breaches can cause a loss of reputation and customer confidence. Organizations can be fined for failure to comply with regulations and contractual obligations. Data security issues, breaches, and unwarranted restrictions on employee access to data can directly impact operational success.

Business growth includes attaining and sustaining operational business goals. Globally, electronic technology is pervasive in the office, marketplace, and home. Desktop and laptop computers, smart phones, tablets, and other devices are important elements of most business and government operations. The explosive growth of e-commerce has changed how organizations offer goods and services. In their personal lives, individuals have become accustomed to conducting business online with goods providers, medical agencies, utilities, governmental offices, and financial institutions. Trusted e-commerce drives profit and growth. Product and service quality are directly tied to information security: robust information security enables transactions and builds customer confidence.

The goals of mitigating risks and growing the business can be complementary and mutually supportive if they are integrated into a coherent strategy of information management and protection.

Data security and enterprise data management

As data regulations increase — usually in response to data thefts and breaches — so do compliance requirements. Security organizations are often tasked with managing not only IT compliance requirements, but also policies, practices, data classifications, and access authorization rules across the organization.

As with other aspects of data management, it is best to address data security as an enterprise initiative, and to do so across the data lifecycle (see Figure 25). Without a coordinated effort, business units will find different solutions to security needs, increasing overall cost while potentially reducing security due to inconsistent protection. Ineffective security architecture or processes can cost organizations through breaches and lost productivity. An operational security strategy that is properly funded, systems-oriented, and consistent across the enterprise will reduce these risks.

Data and information security begin by assessing the current state of an organization’s data in order to identify which data requires protection. The process includes the following steps:

  • Identify and classify sensitive data assets: Depending on the industry and organization, there can be few or many assets, and a range of sensitive data – personal identification, medical, financial, etc.
  • Locate sensitive data throughout the enterprise: Security requirements may differ, depending on where data is stored. A significant amount of sensitive data in a single location poses a high risk due to the damage possible from a single breach.
  • Determine how each asset needs to be protected: The measures necessary to ensure security can vary between assets, depending on data content and the type of technology.
  • Identify how this information interacts with business processes: Analysis of business processes is required to determine what access is allowed and under what conditions.
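The first two steps, identifying sensitive data and locating it across systems, are commonly automated with a discovery scan. The following Python is an added example and is not code from the original chapter. It samples every column in each system, matches values against a small detector table, validates card-number candidates with the Luhn check so that other 16-digit identifiers are not misreported, records the assumed confidentiality level and regulatory category for each hit, and ranks systems by how much sensitive data they concentrate. The systems, rows, patterns, and labels are constructed for illustration.

```python
"""Sensitive-data discovery across several locations. Added example, not
from the original chapter; the systems, rows, detector patterns and
classification labels are constructed for illustration."""
import re
from collections import defaultdict
from typing import Optional


def luhn_ok(candidate: str) -> bool:
    """Luhn check-digit test. Separates real card numbers from other 13-19
    digit strings (order numbers, tracking IDs) that a bare regex would
    report as false positives."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Detector table: label, whole-value pattern, extra validator, assumed
# confidentiality level, assumed regulatory categories. The first
# detector that matches a value wins.
DETECTORS = [
    ("pan", re.compile(r"^(?:\d[ -]?){12,18}\d$"), luhn_ok, "Restricted", {"PCI DSS"}),
    ("ssn", re.compile(r"^\d{3}-\d{2}-\d{4}$"), None, "Restricted", {"PII"}),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"), None, "Confidential", {"PII"}),
]
DETECTOR_BY_LABEL = {d[0]: d for d in DETECTORS}


def detect(value) -> Optional[str]:
    """Return the detector label for one value, or None."""
    if value is None:
        return None
    text = str(value).strip()
    for label, pattern, validator, _, _ in DETECTORS:
        if pattern.match(text) and (validator is None or validator(text)):
            return label
    return None


def scan(systems: dict, threshold: float = 0.5) -> dict:
    """Sample every column in every system. A column is recorded as
    sensitive when at least `threshold` of its non-null values trigger the
    same detector, so one stray e-mail address in a free-text comment
    field does not classify the whole column."""
    inventory = {}
    for system, rows in systems.items():
        hits = defaultdict(lambda: defaultdict(int))  # column -> label -> count
        seen = defaultdict(int)                        # column -> non-null count
        for row in rows:
            for column, value in row.items():
                if value is None:
                    continue
                seen[column] += 1
                label = detect(value)
                if label:
                    hits[column][label] += 1
        findings = {}
        for column, counts in hits.items():
            label, count = max(counts.items(), key=lambda kv: kv[1])
            if count / seen[column] >= threshold:
                _, _, _, level, categories = DETECTOR_BY_LABEL[label]
                findings[column] = {"type": label, "confidentiality": level,
                                    "regulatory": set(categories)}
        inventory[system] = findings
    return inventory


def concentration(inventory: dict) -> list:
    """Rank locations by the number of sensitive columns they hold; the
    system at the top is where a single breach does the most damage."""
    return sorted(((system, len(columns)) for system, columns in inventory.items()),
                  key=lambda pair: (-pair[1], pair[0]))


# Constructed sample: two systems, a few rows each (not real data).
SAMPLE_SYSTEMS = {
    "crm": [
        {"customer_id": "C-1001", "email": "alice@example.com", "phone": "555-0100"},
        {"customer_id": "C-1002", "email": "bob@example.org", "phone": "555-0101"},
    ],
    "billing": [
        {"order_id": "1234567812345678", "card_number": "4111 1111 1111 1111",
         "ssn": "123-45-6789", "email": "alice@example.com"},
        {"order_id": "8765432187654321", "card_number": "5500 0000 0000 0004",
         "ssn": "987-65-4321", "email": None},
    ],
}

if __name__ == "__main__":
    inv = scan(SAMPLE_SYSTEMS)
    for system, columns in inv.items():
        print(system, columns)
    print(concentration(inv))
```

In the sample, `order_id` is a 16-digit column that the regex alone would flag as card data; the Luhn validator rejects it, while the two real test card numbers pass. The inventory the scan produces is the input for the next two steps: deciding how each column must be protected and which business processes may touch it.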

In addition to classifying the data itself, it is necessary to assess external threats, such as those from hackers and criminals, and internal risks posed by employees and processes. Much data is lost or exposed through the ignorance of employees who did not realize that the information was highly sensitive or who bypassed security policies. The customer sales data left on a web server that is later compromised, the employee database downloaded onto a contractor's laptop that is subsequently stolen, and the trade secrets left unencrypted on an executive's laptop that goes missing all result from missing or unenforced security controls.

The impact of security breaches on well-established brands in recent years has resulted in huge financial losses and a drop in customer trust. Not only are the external threats from the criminal hacking community becoming more sophisticated and targeted, the amount of damage done by external and internal threats, intentional or unintentional, has also been steadily increasing over the years.41

Data security metadata

One approach to managing sensitive data is via Metadata. Security classifications and regulatory sensitivity can be captured at the data element and data set level. Technology exists to tag data so that the Metadata travels with the information as it flows across the enterprise. Developing a master repository of data characteristics means all parts of the enterprise can know precisely what level of protection sensitive information requires.

If a common standard is enforced, this approach enables multiple departments, business units, and vendors to use the same Metadata. Standard security Metadata can optimize data protection and guide business usage and technical support processes, leading to lower costs. This layer of information security can help prevent unauthorized access to and misuse of data assets.

When sensitive data is correctly identified as such, organizations build trust with their customers and partners. Security-related Metadata itself becomes a strategic asset, increasing the quality of transactions, reporting, and business analysis, while reducing the cost of protection and associated risks that lost or stolen information cause.

Data Classification is a prerequisite to managing data security. Two concepts drive security restrictions:

  • Confidentiality level: Confidential means secret or private. Organizations determine which types of data should not be known outside the organization, or even within certain parts of the organization. Confidential information is shared only on a ‘need-to-know’ basis. Levels of confidentiality depend on who needs to know certain kinds of information.
  • Regulatory categories: These are assigned based on external rules, such as laws, treaties, customs agreements, and industry regulations. Regulatory information is shared on an ‘allowed-to-know’ basis. The ways in which data can be shared are governed by the details of the regulation.

The main difference between confidential and regulatory restrictions is where the restriction originates: confidentiality restrictions originate internally, while regulatory restrictions are externally-defined.

Another difference is that any data set, such as a document or a database view, can only have one confidentiality level. This level is established based on the most sensitive (and highest classified) item in the data set. Regulatory categorizations, however, are additive. A single data set may have data restricted based on multiple regulatory categories. To assure regulatory compliance, enforce all actions required for each category, along with the confidentiality requirements.

When applied to the user entitlement (the aggregation of the particular data elements to which a user authorization provides access), all protection policies must be followed, regardless of whether they originated internally or externally.
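The two rules above (a data set takes the single highest confidentiality level of its elements, while regulatory categories accumulate) and the entitlement check that follows from them can be written out directly. The following Python is an added example and is not code from the original chapter: it attaches security Metadata to individual elements, derives the classification of a table and of a view over it, and then evaluates a user entitlement against each, denying access unless both the need-to-know clearance and every allowed-to-know regulatory category are satisfied. The level scale, category names, table, and users are assumptions for illustration.

```python
"""Combining element-level security Metadata into a data-set
classification and testing a user entitlement against it. Added example,
not from the original chapter; the level scale, categories, tables and
users are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Assumed confidentiality scale, least to most sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class ElementMetadata:
    """Security Metadata attached to one data element (column)."""
    name: str
    confidentiality: str
    regulatory: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class DataSetClassification:
    confidentiality: str
    regulatory: FrozenSet[str]


def classify_data_set(elements: Iterable[ElementMetadata]) -> DataSetClassification:
    """A data set has exactly one confidentiality level: the high-water
    mark of its most sensitive element. Regulatory categories are
    additive: the union of every element's categories."""
    elements = list(elements)
    if not elements:
        raise ValueError("empty data set")
    top = max(elements, key=lambda e: RANK[e.confidentiality])
    categories = frozenset().union(*(e.regulatory for e in elements))
    return DataSetClassification(top.confidentiality, categories)


def view(elements: Iterable[ElementMetadata], names: Iterable[str]) -> List[ElementMetadata]:
    """A view or extract exposes a subset of elements and is classified on
    its own, from the elements it actually contains."""
    wanted = set(names)
    return [e for e in elements if e.name in wanted]


@dataclass(frozen=True)
class Entitlement:
    """What a user authorization grants: a clearance level (need-to-know)
    and the regulatory categories the user is allowed-to-know."""
    user: str
    clearance: str
    allowed_categories: FrozenSet[str]


def access_decision(ent: Entitlement, cls: DataSetClassification) -> Tuple[bool, List[str]]:
    """Both the internal and the external restrictions must hold: the
    clearance must reach the data set's level AND every regulatory
    category present must be allowed. Returns (allowed, reasons)."""
    reasons = []
    if RANK[ent.clearance] < RANK[cls.confidentiality]:
        reasons.append(f"clearance {ent.clearance} is below {cls.confidentiality}")
    missing = cls.regulatory - ent.allowed_categories
    if missing:
        reasons.append("not allowed-to-know: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


# Constructed sample table, view and users (not real data).
CUSTOMER_TABLE = [
    ElementMetadata("customer_id", "Internal"),
    ElementMetadata("email", "Confidential", frozenset({"PII"})),
    ElementMetadata("card_number", "Restricted", frozenset({"PCI DSS"})),
    ElementMetadata("diagnosis_code", "Restricted", frozenset({"PHI"})),
]
MARKETING_VIEW = view(CUSTOMER_TABLE, ["customer_id", "email"])

ANALYST = Entitlement("analyst", "Confidential", frozenset({"PII"}))
PAYMENTS_OPS = Entitlement("payments", "Restricted", frozenset({"PII", "PCI DSS"}))

if __name__ == "__main__":
    for ent in (ANALYST, PAYMENTS_OPS):
        for label, ds in (("customer_table", CUSTOMER_TABLE), ("marketing_view", MARKETING_VIEW)):
            allowed, why = access_decision(ent, classify_data_set(ds))
            print(ent.user, label, "ALLOW" if allowed else "DENY", why)
```

The sample shows why views matter for entitlement design: the full customer table is Restricted and carries three regulatory categories, so even the payments operator with a Restricted clearance is denied (no entitlement to PHI), while the marketing view, which omits the card and diagnosis columns, drops to Confidential with PII only and is accessible to the analyst.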

Data security architecture

Enterprise architecture defines the information assets and components of an enterprise, their interrelationships, and business rules regarding transformation, principles, and guidelines. Data Security architecture is the component of enterprise architecture that describes how data security is implemented within the enterprise to satisfy the business rules and external regulations. Architecture influences:

  • Tools used to manage data security
  • Data encryption standards and mechanisms
  • Access guidelines to external vendors and contractors
  • Data transmission protocols over the internet
  • Documentation requirements
  • Remote access standards
  • Security breach incident-reporting procedures

Security architecture is particularly important for the integration of data between:

  • Internal systems and business units
  • An organization and its external business partners
  • An organization and regulatory agencies

For example, an architectural pattern of a service-oriented integration mechanism between internal and external parties would call for a data security implementation different from traditional electronic data interchange (EDI) integration architecture.

For a large enterprise, a formal liaison function between the disciplines involved (enterprise architecture, data management, and information security) is essential to protecting information from misuse, theft, exposure, and loss. Each party must be aware of elements that concern the others, so they can speak a common language and work toward shared goals.

Planning for data security

Planning for security includes process planning as well as data classification and architectural planning. It includes security not only of systems, but also of facilities, devices, and credentials. Implementing good practices starts with identifying requirements. These are based largely on regulations for particular industries and geographies. It is important to ensure an organization can meet requirements that may be driven by those with whom it interacts; for example, the European Union has stricter privacy requirements than does the United States. Requirements will also be based on risks connected with the system landscape of the organization itself.

Requirements should be formalized into enterprise-wide policies and supported by clear standards for things like classification levels. Policies and standards need to be maintained as regulations evolve. Staff will require ongoing training, and data access and system usage will need to be monitored to ensure compliance.

Corporate culture deeply influences how we keep data secure. Organizations often end up reacting to crises, rather than proactively managing accountability and ensuring auditability. While perfect data security is next to impossible, the best way to avoid data security breaches is to build awareness and understanding of security requirements, policies, and procedures. Organizations can increase compliance through:

  • Training: Promotion of standards through training on security initiatives at all levels of the organization. Follow training with evaluation mechanisms such as online tests focused on improving employee awareness. Such training and testing should be mandatory and a prerequisite for employee performance evaluation.
  • Consistent policies: Definition of data security policies and regulatory compliance policies for workgroups and departments that complement and align with enterprise policies. Adopting an ‘act local’ mindset helps engage people more actively.
  • Measure the benefits of security: Link data security benefits to organizational initiatives. Organizations should include objective metrics for data security activities in their balanced scorecard measurements and project evaluations.
  • Set security requirements for vendors: Include data security requirements in service level agreements (SLAs) and outsourcing contractual obligations. SLAs must specify all required data protection actions.
  • Build a sense of urgency: Emphasize legal, contractual, and regulatory requirements to build a sense of urgency and an internal framework for data security management.
  • Ongoing communications: Supporting a continual employee security-training program informing workers of safe computing practices and current threats. An ongoing program communicates that safe computing is important enough for management to support it.

What you need to know

  • Managing data security is foundational to data management success. Proper data protection is required to meet stakeholder expectations, and it is also the right thing to do for the enterprise.
  • Data that is managed following data management best practices is also easier to protect, since it can be classified and tagged with a high degree of reliability.
  • These practices include: taking an enterprise approach to security planning, establishing a reliable security architecture, and managing Metadata related to security.
  • The necessity to protect data extends to ensuring that vendors and partners also secure the data entrusted to them.
  • Robust, demonstrable data security practices can become a differentiator, because they build trust.